Bug 30938 - <allow group="foo"> only matches against auxiliary groups, not primary group
Summary: <allow group="foo"> only matches against auxiliary groups, not primary group
Status: RESOLVED MOVED
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: 1.5
Hardware: All All
: medium normal
Assignee: Havoc Pennington
QA Contact: John (J5) Palmieri
URL:
Whiteboard: review? for test
Keywords: patch
Depends on:
Blocks:
 
Reported: 2010-10-17 09:04 UTC by Sascha Silbe
Modified: 2018-10-12 21:07 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:

Attachments
[PATCH] policy: check against primary group as well, not just auxiliary groups (fd.o#30938) (1.58 KB, patch)
2010-10-28 23:55 UTC, Sascha Silbe 		Details | Splinter Review
Add a manual test for user/group info on Unix (5.99 KB, patch)
2013-08-27 18:22 UTC, Simon McVittie 		Details | Splinter Review
View All

Description Sascha Silbe 2010-10-17 09:04:01 UTC 
<allow group="foo"> only matches against auxiliary groups, not the primary one. There's no way to match against the primary group specifically and the documentation doesn't mention this limitation anywhere so I assume it's a bug.
Comment 1 Sascha Silbe 2010-10-17 09:18:54 UTC 
Patch posted on the dbus mailing list: http://lists.freedesktop.org/archives/dbus/2010-October/013635.html
Comment 2 Sascha Silbe 2010-10-28 23:55:48 UTC 
Created attachment 39878 [details] [review]
[PATCH] policy: check against primary group as well, not just auxiliary groups (fd.o#30938)

Attaching the patch to this bug as well now since I didn't get any reply on the mailing list.
Comment 3 Simon McVittie 2013-08-27 17:33:18 UTC 
(In reply to comment #2)
> [PATCH] policy: check against primary group as well, not just auxiliary
> groups (fd.o#30938)

Is this still wrong in 1.6.x? On what operating system?

As far as I can see, DBusUserInfo.group_ids is meant to be filled with all the groups (specifically including the primary GID), but fill_user_info() in dbus-sysdeps-unix.c omits the primary GID on the HAVE_GETGROUPLIST code path. I'd prefer to fix it in fill_user_info() rather than working around it elsewhere.
Comment 4 Simon McVittie 2013-08-27 18:22:51 UTC 
Created attachment 84739 [details] [review]
Add a manual test for user/group info on Unix

---

This seems to work fine for me, on Debian unstable (early development of Debian 8) with Linux 3.10 and glibc 2.17. I get my primary group ID in both primary_gid and group_ids[0], as documented.
Comment 5 Chengwei Yang 2013-11-24 13:12:20 UTC 
(In reply to comment #3)
> (In reply to comment #2)
> > [PATCH] policy: check against primary group as well, not just auxiliary
> > groups (fd.o#30938)
> 
> Is this still wrong in 1.6.x? On what operating system?
> 
> As far as I can see, DBusUserInfo.group_ids is meant to be filled with all
> the groups (specifically including the primary GID), but fill_user_info() in
> dbus-sysdeps-unix.c omits the primary GID on the HAVE_GETGROUPLIST code
> path. I'd prefer to fix it in fill_user_info() rather than working around it
> elsewhere.

I see on the HAVE_GETGROUPLIST code path in fill_user_info() call getgrouplist(3) to fill user group list. Which does return the primary group as well auxiliary groups.
Comment 6 Simon McVittie 2014-09-23 14:47:27 UTC 
(In reply to comment #3)
> Is this still wrong in 1.6.x? On what operating system?

Please answer, and preferably try the manual test that I attached.
Comment 7 GitLab Migration User 2018-10-12 21:07:18 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/dbus/dbus/issues/32.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.